Sunday, January 1, 2006; Page F07

Q How do I get the "Best Offers Direct" ads off my PC? My anti-spyware program can find the program behind them, but it keeps crawling back.

A This Windows-only pest -- earlier known as "Aurora" and "A Better Internet" -- exhibits a vile degree of tenacity in its mission of littering your screen with pop-up ads.

Uninstalling the "free" software that inflicted Best Offers on your computer (currently, FunScreenz, iWatchNow and Smiley Source) won't work. The Best Offers application itself burrows deeply into Windows to defy removal attempts, and its creator, New York-based Direct Revenue LLC, revises it often to evade anti-spyware tools.

For example, a copy of Best Offers installed on a test laptop went undetected by Microsoft AntiSpyware, Ad-Aware SE Personal Edition and Spybot Search & Destroy. (A trial version of Webroot's Spy Sweeper did identify it.)

The most effective counterattack is to use Windows XP's System Restore utility: From the Start Menu, select All Programs, then Accessories, then System Tools. But if it's been a while since Best Offers began bugging you, that may not work. Direct Revenue also provides an uninstall utility on its site, which seemed to work in one test. But this company's conduct gives us little reason to trust it.

If you can't get this parasite off your machine on your own, you may need to destroy your PC in order to save it. Back up your own data to a CD, DVD, USB memory key or external hard drive, then use your Windows CD (or the system-recovery partition on your hard drive) to wipe your computer and reinstall everything from scratch.

To avoid that kind of radical treatment, be careful about using allegedly free software from strange sites -- and in particular any part of the "Best Offers Network." --Rob Pegoraro


These directions DO work for Trojan.Vundo (no 'B') and Vundu as well!

Ok, first off, for those of you who are lucky enough never to have run into this trojan, I'll explain it a little. It's basically a trojan that ties into adware that, once a machine is infected, causes many popups to be displayed. Even more horrible, if you have Norton Antivirus, you don't get popups, but every 1 to 2 seconds you get a warning from Norton saying it stopped the trojan, however, it can't fix it (so what's new?).

To top it off, Symantec says it has a fix for this virus, but it actually does not work (so says me and hundreds of other users who have tried it online and only have complaints).

However, thanks to my brother who sadly got his computers (yes, plural...he got both his desktop and laptop infected... which means this virus is REALLY easy to get because my brother is extremely paranoid, safe, and careful online), I got the opportunity to sit back and try to figure out a way to get rid of this little monster.

It took me a little over 3 hours, but I'm happy to say that I have figured out how to remove the virus efficiently and effectively on both computers running different versions of Windows XP; needless to say I'm pretty confident about my tutorial.

First off, you're going to need to grab these two tools:

1. Process Explorer
2. Pocket Killbox

To keep things simple, I have zipped and uploaded both of them together to HERE (for now I'll be using FileFront.com until NerdHelp.com gets a secured download page)

Alright, once you get those downloaded, follow these instructions (You should read through these instructions first, then print them out because you will need to reboot your computer):

Step 1:
First what you need to do is get the security alert that says you are infected and then copy down the name of the file it says is infected. In my case, I am infected in c:\windows\system32\ddccd.dll **WRITE THIS DOWN!**

Step 2 (This step will require you to reboot your computer, so make sure you've printed these instructions):
You need to set your computer up to always boot into safemode during this removal process. If you know how to do this, do it and go to Step 3, if you don't, follow THESE INSTRUCTIONS, then continue to Step 3.

Step 3:
After you set your computer to always boot into Safemode, you should have followed the prompt to reboot your system. If so, you should be in safemode now, if not, you need to reboot your computer now.

First thing to get done is to open all of the following programs and processes:
- Process Explorer
- Pocket Killbox
- Windows Explorer or My Computer (something to give you the ability to browse through your computer)
- Registry Editor (to get this, go to Start then Run then type regedit and hit enter)

Step 4:
Once all the things in Step 3 are open, go to Process Explorer and find the explorer.exe process on the list. Right click it and click the "kill" option. (this will kill your windows shell, that's why you opened everything needed in this tutorial in Step 3). **You can still switch back and forth between programs by holding alt and hitting the TAB key**

Step 5:
Go to the Registry Editor and delete the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[Trojan file name]

Note: [Trojan File Name] is the name of the DLL minus the ".dll" part. In my case, the folder was called DDCCD.

Step 6:
Go back to Process Explorer and find the process called "winlogon.exe". Double click it to open up another window that has 8 tabs on the top. Click the tab that says "threads". In this tab you will see a bunch of stuff listed under "Start Address". There should be about 4 of them (might be more, might be less, either way, follow the directions) that will have the name of your trojan.dll file. One by one, click each trojan dll file in the list, then click the "Kill" button. When all are gone, click the "ok" button at the bottom to close that window and go back to the Registry Editor.

Step 7:
Now, the next key hides in the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\ part of the registry. To find the specific key, in the Registry Editor window, click on the top "My Computer" icon in the list, then go to "Edit" on the top bar, then click "find" and search for the trojan name. In my case, I will search for ddccd.

Step 8:
It may take a while to scan (depending on your processor speed and what not), but it should find a file in that registry tree I mentioned above. It will open the folder up so you know which one it found it in. In my case, it found the tree "{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}". Write down that name, then delete the tree.

Step 9:
Now, you have to delete one more registry key that is hiding in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ . Go there and look for the same file tree as the one you just deleted, in my case I'm looking for "{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}". Find it and remove it.

Step 10:
Go to your Pocket Killbox and type into the "Full Path of File to Delete" box:
c:\windows\system32\[Your trojan DLL file here]

In my case, I typed: c:\windows\system32\ddccd.dll

Next, click "Delete on Reboot" and check the "End Explorer Shell While Killing File".

Click the red circle with a white X to kill the file and follow the prompts to continue with the kill.

Step 11:
It may take a minute or so for your system to finally reboot, but when it does it will be in SafeMode again (this is good).

Step 12:
When your computer completely reboots, open up Process XP again and double click on the WinLogon.exe file again then go back to Threads. If you do not see your trojan dll file in there, then congratulations, you're almost clean!

Step 13:
Just one more step. You should, before you reboot into regular windows, scan your computer for the DLL file. It likes to copy itself into folders, so seek it out and destroy it. In both computers I have cleaned, it hid itself in C:\!Submit, however, it may be different for you, so scan. After you delete where it copied itself, or verified it's not on your system anymore, go onto the next step.

Step 14:
Go back to Start, click run, type msconfig, and go to the Boot.ini tab and uncheck the safeboot mode option. You're all set to reboot.

Finished.

When your computer reboots into the normal mode, you should not get any more warnings about the virus, nor should you get any popups. In both computers I fixed using my tutorial, I scanned them after fixing and only a small trace of the trojan was found in a temporary Internet folder, so just delete your temporary internet files and you will be all clean.
__________________
Hi... I'm Shaun... but the ladies call me HeadNerd =)...well, I guess they never really call me at all =\.

thanx lettuce
i think im fixed.
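The tutorial above walks through three registry locations by hand: Winlogon\Notify, the Browser Helper Objects list, and the matching CLSID entry. Before deleting anything it helps to see everything registered there at once, together with whether each DLL still exists on disk and carries a valid Authenticode signature. The following read-only audit script is an added example and is not part of the forum post or its tools; it assumes PowerShell 2.0 or later running with administrator rights, and checks the XP-era 32-bit registry paths the post cites (on 64-bit Windows the Wow6432Node copies of the Classes and BHO keys would need the same treatment). It changes nothing; it only lists.

```powershell
# Added audit script (not from the forum post): lists the DLLs registered in
# the persistence locations the tutorial edits by hand, so you can see what
# is loaded before deciding what to remove. Read-only: it changes nothing.
# Assumes PowerShell 2.0+ with administrator rights.

function Get-DllSignatureInfo {
    param([string]$Path)
    # Expand %SystemRoot%-style variables and strip surrounding quotes
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $expanded)) {
        return [pscustomobject]@{ Path = $expanded; Exists = $false; Signature = 'file missing'; Signer = '' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $expanded
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    return [pscustomobject]@{ Path = $expanded; Exists = $true; Signature = $sig.Status.ToString(); Signer = $signer }
}

$results = @()

# 1. Winlogon notification packages (Step 5 of the tutorial). Each subkey
#    names its DLL in the DLLName value; present on XP, usually absent on Vista+.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($key in Get-ChildItem $notify) {
        $dll = (Get-ItemProperty -Path $key.PSPath).DLLName
        if ($dll) {
            # A bare file name is loaded from system32 at logon
            if ($dll -notmatch '[\\/]') { $dll = Join-Path $env:SystemRoot "system32\$dll" }
            $info = Get-DllSignatureInfo $dll
            $results += [pscustomobject]@{ Location = 'Winlogon\Notify'; Key = $key.PSChildName
                                           Path = $info.Path; Exists = $info.Exists
                                           Signature = $info.Signature; Signer = $info.Signer }
        }
    }
}

# 2. Browser Helper Objects (Step 9) map a CLSID to an in-process DLL through
#    HKLM\SOFTWARE\Classes\CLSID\{guid}\InprocServer32 (Steps 7 and 8).
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    foreach ($key in Get-ChildItem $bho) {
        $clsid  = $key.PSChildName
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $path   = ''
        if (Test-Path $inproc) { $path = (Get-ItemProperty -Path $inproc).'(default)' }
        if ($path) {
            $info = Get-DllSignatureInfo $path
            $results += [pscustomobject]@{ Location = 'BHO'; Key = $clsid
                                           Path = $info.Path; Exists = $info.Exists
                                           Signature = $info.Signature; Signer = $info.Signer }
        } else {
            $results += [pscustomobject]@{ Location = 'BHO'; Key = $clsid; Path = '(no InprocServer32)'
                                           Exists = $false; Signature = 'n/a'; Signer = '' }
        }
    }
}

# Sorting by status puts "file missing" and "NotSigned" entries above "Valid"
# ones; legitimate notify packages and toolbars are normally vendor-signed.
$results | Sort-Object Signature | Format-Table -AutoSize Location, Key, Signature, Signer, Path
```

Run it once in Safe Mode before Step 5 and keep the output: the CLSID column gives you the {guid} that Steps 8 and 9 ask you to write down, and an unsigned DLL in system32 with a random five-letter name is exactly the pattern the post describes. A valid signature is not proof of innocence, and an unsigned entry is not proof of guilt (older or in-house software is often unsigned), so treat the list as a shortlist to investigate, not a delete list.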


Posted at 02:40 PM ET, 12/22/2005

Give the Gift of Security

This holiday season, many readers will no doubt be giving or receiving Windows desktop and laptop computers -- machines that, despite Microsoft's best efforts, will still take a significant amount of tweaking to ensure they are sufficiently secure against hackers, viruses and worms.

If you are giving a PC as a gift this year, consider pulling it out of the box and handling the tweaking process yourself on behalf of the recipient. That way, you can be sure that your loved ones won't put off these important precautions until it's too late.

There are several steps users should take before doing anything else with a new Windows PC:

* Set up and use a non-administrator account:
When you (or your children) browse the Web using one of these, spyware and other unwanted programs have a much harder time getting their hooks into your system because the account does not have privileges to install programs.

The importance of using a non-admin account for everyday functions like Web browsing cannot be overstated from a security perspective. Also, you should take this step before you do anything else, because it's a lot more work once you've installed a bunch of software and saved tons of files.

When you first fire up an XP computer, it will prompt you to create accounts for each person who will use the computer. The problem is that each account will automatically be given administrator status and will not be protected by a password.

Go ahead and create an account with whatever name you want. Then, when you're at the Windows desktop, click on "Start," "Settings," then "Control Panel" (or just "Start" then "Control Panel") and then "User Accounts."

Next, change the newly created account to a limited-user account. Click on the account name and select "Change the account type" from the options page that comes up, then select "Limited" from the next page and click on the tab that says "Change Account Type." That will return you to the account options page. From there, click on the "Create a Password" option.

You will be prompted to enter a password twice, and you'll have the option of entering a hint in case you forget your password. That page has tips on creating strong passwords, and Security Fix also has its own advice in a password primer. You should do this for every account you manually create at the startup screen.

When you're done, click the "back" button on the left side to return to the main User Accounts page. You should see three accounts there now: Administrator, Guest, and whatever name you assigned to the account you created.

On Windows XP Home, the Guest account will be disabled, but this doesn't quite lock it down. We want to assign a password to it. To do this, click on "Start," select "Run," then in the window that pops up type "cmd" to make a command prompt window pop up. At the prompt, type "net user guest (password)" replacing (password) with the password you want to assign to it (don't include the quotes or parentheses).

If you do want to install a program while running the PC under a limited user account, right-click on the installation file and select "Run As," then select the account with administrator rights ("Administrator" by default, but if you're really paranoid like me you might consider renaming that to something less obvious), and enter the password for that account.

(Helpful hint: When installing new programs this way, if you change the default installation location (usually C:\Program Files) to your "Shared Documents" folder, you should have few problems using any program you install from any account you wish.)

* Use a Firewall: All recently purchased new PCs should already have Microsoft's Service Pack 2 installed, which means the built-in Windows firewall will be activated automatically. This firewall, however, mainly blocks just inbound traffic, and does little to stop programs -- good or bad -- from "phoning home" or otherwise sending data out of your machine.

Consider downloading and installing a third-party firewall product. A number of these do a great job of helping you determine which programs should have access to your Internet connection, and there are still quite a few free firewall options, including Kerio (http://www.kerio.com/us/kpf_download.html), Outpost Firewall Free, 8Signs, Tiny Personal Firewall, Jetico and Zone Alarm Free.

Wireless routers also can add a solid layer of protection, as most include a built-in firewall that should stop all unwanted incoming traffic from even seeing your PC on the Net. If you intend to use a laptop around the house with your Wi-Fi connection, be sure to follow the vendor's instructions for setting up encryption and securing the router with a strong password (do not make the password the same as your user name!).

Microsoft has a pretty good tutorial for wireless-router encryption setup, including instructions broken down by each of the major wireless hardware makers.

* Download and install all available Windows security patches:
Again, most Windows XP machines sold today should have Service Pack 2 installed. This means that when you start it up for the first time, the machine should ask whether you want to enable automatic updates from Microsoft.

The default setting is for Windows to download updates when they become available, then prompt you to install them (and reboot) at your leisure. Whether you choose to accept the default setting or let Microsoft fully automate the process for you is a personal decision, but if you're setting this PC up for a relative who is not too security-savvy, it might be best to select "automatic."

Due to the lag time between the date the PC rolls off the production line and the time it is sold in the store, most new Windows PCs will lack at least a handful of essential security updates, and could be missing dozens of critical patches.

I strongly recommend that users visit the Microsoft Update Web site and download and install all available "critical" security patches, rather than waiting for Windows Update to get around to the process. This can take up to several hours, which is plenty of time for attackers to find and seize control of a vulnerable computer.

* Use and update antivirus software: If the PC comes with a free 60- to 90-day trial of antivirus software -- as most do these days -- make sure the software is equipped with the latest virus definition updates.

You might also consider simply removing the software and installing a free antivirus program. I say this because I have seen far too many users continually ignore the renewal prompts when their trial subscription expires, leaving their machine increasingly vulnerable.

Also consider downloading and using anti-spyware software. Microsoft's Anti-Spyware beta is still free, and should work just fine for the majority of users. Other good (and free) options include AdAware Personal and Spyware Blaster.

Finally, if you need help setting up your antivirus, anti-spyware or firewall programs, check out our video guides to securing your PC.
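The four steps above (a limited everyday account with a password, a password on Guest, the firewall on, and automatic updates enabled) can be scripted and then verified on a new machine before handing it over. The script below is an added example, not part of the Security Fix post; it uses the same net user commands the post gives, plus registry reads for the firewall and Automatic Updates settings. It assumes an administrator PowerShell prompt on XP SP2 or later; the account name and the two passwords are placeholders to replace, and the registry paths are the standard locations for the local firewall profile switch and the Automatic Updates mode (a domain Group Policy may override the latter under HKLM\SOFTWARE\Policies).

```powershell
# Added example (not from the Security Fix post): scripts the limited-account
# and Guest steps with the post's own net commands, then reports whether the
# Windows firewall and Automatic Updates are on. Run from an administrator
# PowerShell prompt. The account name and passwords are placeholders.

$NewUser       = 'family'                                 # placeholder account name
$NewPassword   = 'REPLACE-WITH-A-STRONG-PASSPHRASE'       # placeholder
$GuestPassword = 'REPLACE-WITH-ANOTHER-STRONG-PASSPHRASE' # placeholder

# Create the everyday account. "net user /add" puts it in the Users group only,
# which is the "Limited" account type shown in the XP Control Panel.
net user $NewUser $NewPassword /add /passwordchg:yes | Out-Null
# Belt and braces: make sure it is not also an administrator.
net localgroup Administrators $NewUser /delete 2>$null | Out-Null

# Give Guest a password and keep it disabled, as the post recommends.
net user guest $GuestPassword | Out-Null
net user guest /active:no | Out-Null

function Test-IsLocalAdmin {
    param([string]$User)
    # "net localgroup Administrators" prints one member per line below a dashed rule
    $members = net localgroup Administrators |
        Where-Object { $_ -and $_ -notmatch '^(Alias|Comment|Members|-+|The command)' }
    return [bool]($members | Where-Object { $_.Trim() -ieq $User })
}

function Get-FirewallState {
    # XP SP2 and later keep the per-profile switch here; 1 = on, 0 = off
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    if (-not (Test-Path $key)) { return 'unknown' }
    $v = (Get-ItemProperty $key).EnableFirewall
    if ($v -eq 1) { 'on' } elseif ($v -eq 0) { 'off' } else { 'unknown' }
}

function Get-AutoUpdateMode {
    # AUOptions: 1 = disabled, 2 = notify before download, 3 = download then
    # notify before install (the default the post describes), 4 = fully automatic
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    if (-not (Test-Path $key)) { return 'unknown' }
    $v = (Get-ItemProperty $key).AUOptions
    if ($null -eq $v) { return 'unknown' }
    switch ($v) {
        1 { 'disabled' }
        2 { 'notify before download' }
        3 { 'download, notify before install' }
        4 { 'fully automatic' }
        default { 'unknown' }
    }
}

"Account $NewUser is an administrator: $(Test-IsLocalAdmin $NewUser)"  # want False
"Windows Firewall (standard profile): $(Get-FirewallState)"            # want on
"Automatic Updates: $(Get-AutoUpdateMode)"                             # want fully automatic for a non-technical relative
```

Two cautions on the design: passing a password on the net user command line leaves it visible in the console history and to anyone listing processes at that moment, so run this on a fresh machine and clear the history afterward, or type the net user guest command interactively as the post describes; and the firewall check only tells you the built-in inbound filter is enabled, which is the point the post makes about it doing nothing for outbound traffic, so a third-party firewall still has to be judged separately.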

Failure to follow these basic security precautions could allow your PC to fall victim to viruses, worms or spyware -- or worse yet, to be ensnared by "bot" programs that allow attackers to control your machine remotely.

According to antivirus vendor Symantec Corp., the number of bot networks increased more than sixfold in the New Year compared with December 2004, a spike it said could be attributed to new, unprotected PCs appearing online in the New Year.